Skip to content

fix(security): encode Address widget Places proxy query parameters#2265

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/application-security-review-daa0
Draft

fix(security): encode Address widget Places proxy query parameters#2265
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/application-security-review-daa0

Conversation

@cursor

@cursor cursor Bot commented Jun 8, 2026

Copy link
Copy Markdown

Vulnerability summary

The Address widget built Google Places autocomplete proxy URLs by interpolating user search text into a raw query string. A user (or anyone who can type into the field) could inject additional &key=value pairs — for example overriding the app's countryFilter restriction.

Affected location

  • modules/ensemble/lib/widget/address.dart (_getSearchResults, _getPlaceDetail)
  • modules/ensemble/lib/widget/address_url_builder.dart

Security impact

Severity: Medium
Attacker End user of an app using the Address widget
Controlled input Autocomplete search text (e.g. foo&components=country:US)
Reachability AddressState._getSearchResults() built URLs via string concatenation
Impact Injected query parameters can override developer-configured country filters and manipulate autocomplete results

Fix approach

Build proxy URLs with Uri.https and queryParameters so user input is percent-encoded.

Tests

  • modules/ensemble/test/address_url_security_test.dart
Open in Web View Automation 

@cursoragent @sharjeelyunus
fix(security): encode Address widget Places proxy query parameters
733fee2 
User-controlled autocomplete input was interpolated into a raw URL
string, allowing attackers to inject extra query parameters (for example
to override country filters). Build proxy URLs with Uri.https and add
regression tests.

Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cursoragent